Steps to Mitigate Spear Phishing

Why Technical Solutions May Work Better Than Training

While many organizations rely on employee training to help mitigate the risks of spear phishing, such efforts are generally ineffective, says Eric Johnson of Vanderbilt University, who explains why a technical solution might be more effective.

"That really puts the ball back into the technical court," he says. "That is, how can we protect users from ever being able to make a decision on these things either by ensuring they never receive the e-mail to begin with, warning them appropriately in the e-mail, or by catching them as they click and preventing that connection from occurring?"

In the interview, Johnson:

Describes the results of the new study on spear-phishing mitigation training;

Explains why embedded training isn't always effective; and

Discusses possible ways to get employees to avoid clicking on links in spear-phishing e-mails.

Before joining the Vanderbilt faculty last summer, Johnson served as associate dean for the MBA program and faculty director of the Glassmeyer/McNamee Center for Digital Strategies at Dartmouth College's Tuck School of Business. His teaching and research focus on the impact of IT on the extended enterprise. Through federal grants, Johnson studies how IT improves process execution, but also how security failures create friction throughout the extended enterprise. He also focuses on the role of IT in improving healthcare quality and reducing cost.

Why Training Doesn't Mitigate Phishing

ERIC CHABROW: Your research paper outlines the relative costs and benefits from spear phishing campaigns. Tell us about that.

ERIC JOHNSON: One of the things we've learned over the years is that the weakest link in security is often the human being in the loop. Anytime that you can somehow deceive a human being, many times it's much easier to do that than to hack into something; you can make a lot of money. ... If you just think about the crazy spam that we all get in our inboxes, most of that stuff does not generate lots and lots of revenue, but very targeted spear phishing can be highly effective. What makes it so effective is it is so personal and that creates much higher open rates, click-through rates, and willingness to share sensitive information that can then be used and monetized. It's what makes spear phishing so lucrative.

CHABROW: Can you explain how some phishing attacks could net a profit of $150,000?

JOHNSON: It's really an order of magnitude more effective, and it really is only limited by the imagination and creativity of the attackers because, again, their research and creativity in building very, very focused attacks is what makes this so effective and potentially far more lucrative.

Security Professionals Phished

CHABROW: Can you talk about certain spear-phishing attacks where even some security companies have been hacked?

JOHNSON: That's the thing about this; even security professionals will click on links they shouldn't click on. They may not give up sensitive information, but they'll click on a link. There is something about clicking. My good friend, John Stewart at Cisco, said, "All links want to be clicked." There is just something in there, even for the most astute security folks, when you get a link that looks like it is real, looks like it came from a friend, has a compelling message, it's very hard to pull the finger back from the mouse.

Embedded Training

CHABROW: Why don't you first define what you mean by embedded training? And how widespread is the use of it to reduce the effectiveness of spear phishing?

JOHNSON: Spear phishing is just so effective, and there are ways, of course, technically that we can address that subject. We try to strip links out of e-mails and put link warnings into these kinds of things automatically. But the other side of that, of course, is trying to improve the human firewall. That is, train the users to better recognize suspicious situations or links. Embedded training is really a focused effort on that.